Java Insecure Cryptographic Algorithm
Description
Detects the use of insecure cryptographic keys in Java applications by inspecting SecretKeySpec instantiations. This covers both weak cryptographic algorithms and hardcoded key material, either of which can compromise the encryption and expose sensitive data to unauthorized access.
Detection Strategy
• Identifies instantiations of SecretKeySpec class (including fully qualified names like javax.crypto.spec.SecretKeySpec)
• Checks if the cryptographic algorithm parameter uses known weak/insecure algorithms
• Verifies if the key material is hardcoded as a string literal in the code
• Reports a vulnerability if either the algorithm is weak or the key material is hardcoded
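The four bullets above, as an added Python example that is not Fluid Attacks' own scanner code: a line-based check that flags `new SecretKeySpec(...)` when the algorithm is on an assumed weak list or the key material comes from a string literal, run over a constructed Java snippet.

```python
import re

# Assumed weak-algorithm list; the page does not enumerate the scanner's own list.
WEAK_ALGORITHMS = {"DES", "DESEDE", "RC2", "RC4", "ARCFOUR", "BLOWFISH"}

# new SecretKeySpec(<key expression>, "<algorithm>"), with or without the
# fully qualified javax.crypto.spec prefix (strategy bullets 1 and 2).
SPEC_RE = re.compile(
    r'new\s+(?:javax\.crypto\.spec\.)?SecretKeySpec\s*\('
    r'\s*(?P<key>.+?)\s*,\s*"(?P<alg>[^"]+)"\s*\)'
)
# String variables initialised from a literal, so that
# new SecretKeySpec(key.getBytes(), ...) is also caught (bullet 3).
LITERAL_ASSIGN_RE = re.compile(r'String\s+(?P<name>\w+)\s*=\s*"[^"]*"')


def find_insecure_keys(source: str) -> list[dict]:
    """One finding per SecretKeySpec with a weak algorithm or hardcoded key
    (bullet 4). Variable tracking is file-wide, not scope-aware."""
    findings, literal_vars = [], set()
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in LITERAL_ASSIGN_RE.finditer(line):
            literal_vars.add(m.group("name"))
        for m in SPEC_RE.finditer(line):
            key_expr, alg = m.group("key"), m.group("alg")
            reasons = []
            if alg.upper() in WEAK_ALGORITHMS:
                reasons.append(f"weak algorithm {alg}")
            # Literal used directly ("..".getBytes()) or via a tracked variable.
            root = key_expr.split(".")[0].strip()
            if key_expr.startswith('"') or root in literal_vars:
                reasons.append("hardcoded key material")
            if reasons:
                findings.append({"line": lineno, "reasons": reasons})
    return findings


# Constructed sample input, not taken from a real project.
SAMPLE_JAVA = """\
import javax.crypto.spec.SecretKeySpec;
public class Demo {
    static SecretKeySpec bad() {
        String key = "ThisIsHardcoded";
        return new SecretKeySpec(key.getBytes(), "AES");
    }
    static SecretKeySpec weak(byte[] k) { return new javax.crypto.spec.SecretKeySpec(k, "DES"); }
    static SecretKeySpec good(byte[] d) { return new SecretKeySpec(d, "AES"); }
}
"""
```

Running `find_insecure_keys(SAMPLE_JAVA)` reports line 5 (hardcoded key) and line 7 (DES); the `good` method on line 8 is not flagged.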
Vulnerable code example
import javax.crypto.spec.SecretKeySpec;
public class InsecureKeyDerivation {
    public static SecretKeySpec createKey() {
        String key = "ThisIsHardcoded"; // Vulnerable: Using hardcoded key material
        return new SecretKeySpec(key.getBytes(), "AES");
    }
}
✅ Secure code example
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.SecureRandom;
public class SecureKeyDerivation {
    private static final int ITERATIONS = 65536; // High iteration count for PBKDF2
    // The original example is cut off after the line above; the rest is reconstructed from the declared imports
    public static SecretKeySpec createKey(char[] password) throws Exception {
        byte[] salt = new byte[16]; new SecureRandom().nextBytes(salt); // Random salt, stored next to the ciphertext
        SecretKey derived = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(new PBEKeySpec(password, salt, ITERATIONS, 256));
        return new SecretKeySpec(derived.getEncoded(), "AES"); // Key material is derived at runtime, not hardcoded
    }
}